Armin,

It would be easy enough for us to add the "Not a local domain" match for the adaptive ban; our only concern is to make sure this isn't a common misconfiguration case and cause more problems than it helps.

Would it be possible to capture a SIP packet for each of these cases? For example:
--
ngrep -d eth0 -qt -W byline port 5060
--
or possibly redirected to a file for a few minutes and you can then ^C and look through the file for matches to your Asterisk logs to identify it.

That would really help. Your public IP address would need to be obscured; feel free to show the bad guy's IP :-) Only one example for each case is needed.

On a related note, in the next release of AstLinux (1.2.0) we have added a new sip-user-agent plugin:

http://doc.astlinux.org/userdoc:tt_firewall_plugins#sip-user-agent

If you must listen to a common SIP port and allow any IP address, you may be able to "whitelist" a set of User-Agents or at least minimally blacklist the common bad ones.

Of course the "sip-user-agent" plugin should be the last resort after manual firewall rules and the "dyndns-host-open" plugin, or of course TCP TLS.

Lonnie

On Sep 25, 2014, at 1:19 PM, Armin Tüting <armin.tuet...@tueting-online.com> wrote:

>> Hi Armin,
> Hi Lonnie,
>
>> 1) Your first "Failed to authenticate device" can't be banned since there is
>> no "real" IP address logged, only what is in the sip: header, which can't be
>> trusted.
> Ok - what other options are available?
>
> ...
>
>> Are you seeing this from bad guys? Or could this be a misconfigured client?
> Both attempts are from bad guys. They're just trying the standard numbers.
>
>> Lonnie
> Armin.
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
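Added example, not part of the original thread and not AstLinux code: a Python parser for a capture file made with the ngrep command above, listing each inbound request by its packet source address next to the host claimed in the From header, so entries can be matched against the Asterisk log. The sample capture, its addresses and the function names are constructed, and the ngrep line layout is an assumption.

```python
import re

# Constructed sample in the assumed `ngrep -qt -W byline` layout; 192.0.2.10 is the PBX.
SAMPLE = """\
U 2014/09/25 13:05:11.120345 203.0.113.77:5083 -> 192.0.2.10:5060
REGISTER sip:192.0.2.10 SIP/2.0.
Via: SIP/2.0/UDP 10.1.1.1:5083;branch=z9hG4bK-1.
From: "100" <sip:100@192.0.2.10>;tag=a1.
To: "100" <sip:100@192.0.2.10>.
User-Agent: example-scanner.
.

U 2014/09/25 13:05:11.121001 192.0.2.10:5060 -> 203.0.113.77:5083
SIP/2.0 401 Unauthorized.
.
"""

PKT = re.compile(r"^[UT] (\S+ \S+) ([\d.]+):\d+ -> ([\d.]+):\d+")
HOST = re.compile(r"sips?:(?:[^@>;\s]*@)?([^:;>\s]+)")

def parse_capture(text):
    """Split the capture into packets: transport source address plus SIP headers."""
    packets, cur = [], None
    for raw in text.splitlines():
        m = PKT.match(raw)
        if m:
            cur = {"time": m.group(1), "src": m.group(2), "start": None, "hdr": {}}
            packets.append(cur)
            continue
        line = raw[:-1] if raw.endswith(".") else raw  # byline prints CR as "."
        if cur is None:
            continue
        if not line.strip():
            cur = None if cur["start"] else cur  # blank line ends the headers
        elif cur["start"] is None:
            cur["start"] = line
        elif ":" in line:
            name, value = line.split(":", 1)
            cur["hdr"].setdefault(name.strip().lower(), value.strip())
    return packets

def inbound_requests(packets, local_ip):
    """List requests sent to us, keyed on the packet source, not the sip: header."""
    rows = []
    for p in packets:
        if p["src"] == local_ip or not p["start"] or p["start"].startswith("SIP/"):
            continue  # our own traffic, or a response
        m = HOST.search(p["hdr"].get("from", ""))
        rows.append({"time": p["time"], "src": p["src"],
                     "method": p["start"].split()[0], "from_host": m.group(1) if m else None,
                     "user_agent": p["hdr"].get("user-agent", "")})
    return rows
```

In the constructed sample the From header carries the PBX's own address while the packet came from 203.0.113.77, which is why only the transport source is usable for a ban.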